[#11189] - Force SSL Check might fail
- Fixed in Code Base
- 27 Jul 2016
- Medium
- Build: staging
- # 11189
- Diff
- jo-sf:patch-18
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success JTracker/HumanTestResults Human Test Results: 2 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Assume you have a HTTPS server set up with a self-signed certificate or with a certificate signed by a private CA. Moreover assume that the common name in the server's certificate doesn't match the server name used in accessing the server via HTTP/HTTPS (this might be due to DNS problems).
If you try to set "Force HTTPS" in the global configuration to either "Administrator Only" or "Entire Site" you'll get first a message that the configuration was saved successfully, but you also get a warning that the server cannot be reached via HTTPS. The result of this is that "Force HTTPS" is reset to "None".
If the common name in the server's certificate matches the server name used in accessing the server via HTTP you can change the "Force HTTPS" setting at will even if the certificate is self-signed or is signed by a private CA. This is due to the flag CURLOPT_SSL_VERIFYPEER being set to false prior to checking whether a HTTPS connection to the server is possible.
If this is expected behaviour then you should also set the flag CURLOPT_SSL_VERIFYHOST to false such that the certificate's common name is no longer checked against the host name used in accessing the server via HTTPS. This is what this PR does.
The check whether the HTTPS certificate presented by the server is valid is completely delegated to the visitor of the site or the backend. This was already partly the case with the setting of the CURLOPT_SSL_VERIFYPEER flag.
An alternate, more secure approach to this topic would be to add another configuration option which disables the checks of the HTTPS certificate. This configuration option should be shown only when the "Force SSL" option is set to "Administrator Only" or "Entire Site", and it's default value should be "Check Certificate".
Another problem in checking whether HTTPS is available might arise if you have a proxy set in your global configuration (see also PR #11193). In this case that proxy will be contacted in order to access the local server by means of HTTPS which will probably not work.
By setting the flags CURLOPT_PROXY and CURLOPT_PROXYUSERPWD to NULL contacting the proxy server will be disabled.
Test instructions
Please prepare your test environment as follows:
- you need a Joomla installation that can be reached via HTTP and HTTPS (both with default ports)
- the HTTPS certificate can be self-signed, it must contain a common name valid for your server
- your server must be reachable also via any other name (short name without domain, IP address)
- the "Force HTTPS" must be set to "None"
- "Enable Proxy" must be set to "No"
- you do not need a proxy server but if you have one you can use it for your tests
- I assume that no proxy server is running at your server at port 3128, if you have one use a different port below in the proxy server related test cases
Test cases without PR applied:
Test case (1): enable "Force SSL" for the backend via common name
- login to the backend via HTTP using the common name from the HTTPS certificate
- go to "Global Configuration"
- change "Force HTTPS" to "Administrator Only" and save settings
- you should get a message saying that saving the configuration was successful
- check that "Force HTTPS" is set to "Administrator Only"
- check that you have been switched to HTTPS automatically
- change "Force HTTPS" to "None" and save settings
- logout from the backend
Test case (2): enable "Force SSL" for the backend via any alternate name
- login to the backend via HTTP using any other name or the server's IP address
- go to "Global Configuration"
- change "Force HTTPS" to "Administrator Only" and save settings
- you should get a message saying that saving the configuration was successful
- you should also get a message saying that activating HTTPS is not possible since your server doesn't support HTTPS
- check that "Force HTTPS" is set to "None"
- logout from the backend
Test case (3): enable "Force SSL" for the backend with a proxy being set
- login to the backend via HTTP using the common name from the HTTPS certificate
- go to "Global Configuration"
- set "Enable Proxy" to "yes", set "Proxy Host" to "127.0.0.1" and set "Proxy Port" to "3128"
- save settings, check afterwards that the proxy is enabled in the global configuration
- change "Force HTTPS" to "Administrator Only" and save settings
- you should get a message saying that saving the configuration was successful
- you should also get a message saying that activating HTTPS is not possible since your server doesn't support HTTPS
- check that "Force HTTPS" is set to "None"
- set "Enable Proxy" to "no" and save settings
- logout from the backend
Apply the patch, then repeat the above test cases:
Test case (1): enable "Force SSL" for the backend via common name
- this test case should work as described above
Test case (2): enable "Force SSL" for the backend via any alternate name
- this test case should now work as well, there should be no difference to the first test case
- please change "Force HTTPS" to "None" and save settings afterwards, then logout for the next test case
Test case (3): enable "Force SSL" for the backend with a proxy being set
- login to the backend via HTTP using the common name from the HTTPS certificate
- go to "Global Configuration"
- set "Enable Proxy" to "yes", set "Proxy Host" to "127.0.0.1" and set "Proxy Port" to "3128"
- save settings, check afterwards that the proxy is enabled in the global configuration
- change "Force HTTPS" to "Administrator Only" and save settings
- you should get a message saying that saving the configuration was successful
- check that "Force HTTPS" is set to "Administrator Only"
- check that you have been switched to HTTPS automatically
- change "Force HTTPS" to "None" and save settings
- set "Enable Proxy" to "no" and save settings
- logout from the backend
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Labels |
Added:
?
|
||
@andrepereiradasilva I moved the code suggested in PR #11193 to this PR
can you update the desciption with the recent changes and have more clear test instructions?
@andrepereiradasilva Yes I wrote the original PR but I was guided by a bunch of people who know more than me :)
Since we only want to check if the site is accessible via HTTPS, I guess this is fine, we just want to prevent a lockout.
I do disagree with adding an option to check the certificate as well. Checking your certificate should be part of your certificate installation not of the Joomla configuration.
Let's ping @JoshuaLewis see what his input is as well.
@andrepereiradasilva I just updated the initial description (by adding the problem from PR #11193) and I wrote test instructions for this PR (hope they are clear enough).
@roland-d My idea of adding another option that enables checking the certificate was meant for the case that Joomla should check the certificate used for the server, but I agree with you that this should be done by the administrator of the site and not by Joomla. With your patch unfortunately some checks were done with respect to the server's certificate and I wasn't sure whether this is by intention or not.
@andrepereiradasilva Unfortunately my update of the initial description can only be seen in GitHub but not here in the issues tracker...
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11189.
it takes time to update i guess
I have tested this item
Easier test than it seems.
Works fine and it's important.
Just one comment. I use linux so for the test two to work i have to have the second host definied in the /etc/hosts file or it will not work (with or without the PR). I guess in windows (C:\Windows\System32\drivers\etc\hosts) should be the same thing.
I think this happens because curl has to resolve the hostname and it uses the OS for that.
Maybe a new PR for changing the warning message to a more epxlict message indicating that is needed.
BTW you don't need to logout at each step.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11189.
@andrepereiradasilva Regarding your comment for test two: whether you have to change your local hosts file or not (yes that would be the same with windows) depends upon your network setup. If you have a working local DNS setup including domain name search strings within your resolv.conf file you do not need to change your hosts file (and in fact you should not change the hosts file in this case).
Let's assume that your local DNS domain is example.com and that your DNS search string is also example.com. The name of your test server might then be jtest.example.com.
Using nslookup, dig, host or any other host lookup tool or simply ping should cause both the short server name jtest and the long server name jtest.example.com being evaluated to the same IP address.
yes it's a host/DNS configuration problem so no issue. that's why i marked as success.
my comment is more to alert other testers.
BTW i used one registered domain (domain.tld) and a local domain (domain.local) as you guessed
@jo-sf and @roland-d I have reviewed the information, I don't have the possibility to test it.
I think we need to implement this.
Joomla is not the one who needs to test if a certificate is the correct one, simply because you would use fake or wrong or even no certificate in development environments.
The browser is the one who checks if a certificate is correct, based on kind, CN, Revocation and other things.
I work daily with security, tls and other things like this and would propose to make this change.
I hope I can test it or someone else.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11189.
brianteeman
- | Category | ⇒ | Administration |
I have tested this item
I was able to test the patch.
It now even works when the CN of the certificate is not the same as the CN of the website.
Exactly how it should work and off course the browser gives you a error that the certificate is wrong after enabling force ssl.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11189.
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-07-27 05:02:30 |
| Closed_By | ⇒ | roland-d |
| Category | Administration | ⇒ | Administration Components |
@andrepereiradasilva
PR #9584 which is by the way already merged into the current code
contains the code that checks whether HTTPS is available when "Force
SSL" shall be enabled. This code works fine as long as the server name
used in accessing the Joomla installation is identical to the common
name used in the certificate. The code however doesn't check whether the
CA that signed the server certificate is trusted.
My PR #11189 enhances the HTTPS check such that a mismatch between the
server name used in accessing the Joomla installation and the common
name used in the server's certificate is ignored. This setting is not
part of PR #9584.
Am 19.07.2016 um 11:52 schrieb andrepereiradasilva: